valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
981 Commits 20 Branches 25 Tags 21 MiB
9235175e26
Commit Graph

545 Commits

Author SHA1 Message Date
Thomas Patzke
9235175e26
Fixed rule 
* Added condition
* Replaced Description wirh Image attribute and improved search pattern
 2018-08-23 08:20:28 +02:00
Nik Seetharaman
e371d945ed Add Microsoft Workflow Compiler Sysmon Detection 2018-08-18 00:53:28 -05:00
Florian Roth
4e91462838 fix: Bugfix in Adwind rule 2018-08-15 12:33:03 +02:00
Florian Roth
92dc08a304 rule: Added recon command 2018-08-15 12:33:03 +02:00
Florian Roth
7c05b85bcd rule: Added malware UA 2018-08-15 12:33:03 +02:00
Thomas Patzke
2c0e76be3d
Escaped * where required 2018-08-10 13:53:08 +02:00
Lurkkeli
7cdc13ef11
Update 2018-08-08 17:05:51 +02:00
Lurkkeli
392351af25
Adding ATT&CK tag 2018-08-08 16:43:54 +02:00
Lurkkeli
4d721f1803
Updating fps 2018-08-08 16:42:26 +02:00
Lurkkeli
b9f433414d
hiding files with attrib.exe 2018-08-08 16:19:39 +02:00
Thomas Patzke
01215a645e
Merge pull request #145 from yt0ng/master 
DNS TXT Answer with possible execution strings
 2018-08-08 15:58:34 +02:00
Thomas Patzke
58afccb2f3
Fixed ATT&CK tagging 2018-08-08 15:58:19 +02:00
yt0ng
e44b4f450e
DNS TXT Answer with possible execution strings 
https://twitter.com/stvemillertime/status/1024707932447854592
 2018-08-08 15:51:56 +02:00
Thomas Patzke
92c0e0321a
Merge pull request #144 from samsson/patch-7 
Added att&ck tags
 2018-08-07 11:19:36 +02:00
Lurkkeli
a245820519
added att&ck tag 2018-08-07 08:54:53 +02:00
Lurkkeli
294677a2cc
added att&ck tag 2018-08-07 08:50:01 +02:00
Lurkkeli
a57e87b345
added att&ck tag 2018-08-07 08:49:05 +02:00
Lurkkeli
99253763af
added att&ck tag 2018-08-07 08:45:58 +02:00
Lurkkeli
0bff27ec21
added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:37:51 +02:00
Lurkkeli
198cb63182
added att&ck tactic 
added att&ck tactic, no specific techniques applicable
 2018-08-07 08:36:53 +02:00
Thomas Patzke
518e21fcd2
Merge pull request #134 from nikseetharaman/sysmon_cmstp_com_object_access 
Add CMSTP UAC Bypass via COM Object Access
 2018-08-07 08:33:33 +02:00
Thomas Patzke
b9fdf07926
Extended tagging 2018-08-07 08:33:18 +02:00
Lurkkeli
b50c13dd1f
Update att&ck tag 2018-08-07 08:27:24 +02:00
Thomas Patzke
5d5d42eb9b
Merge pull request #140 from yt0ng/master 
Possible Shim Database Persistence via sdbinst.exe
 2018-08-07 08:22:32 +02:00
Thomas Patzke
80eaedab8b
Fixed tag and date 2018-08-07 08:22:11 +02:00
Thomas Patzke
3509fbd201
Merge pull request #142 from samsson/patch-5 
Added ATT&CK tag
 2018-08-07 08:20:22 +02:00
Thomas Patzke
b049210641
Fixed tags 2018-08-07 08:20:09 +02:00
Lurkkeli
3456f9a74d
Update sysmon_susp_wmi_execution.yml 2018-08-07 08:19:58 +02:00
Thomas Patzke
64fa3b162d
Tag fixes 2018-08-07 08:18:16 +02:00
Lurkkeli
6472be5e19
Update sysmon_uac_bypass_sdclt.yml 2018-08-07 08:08:53 +02:00
Lurkkeli
21bee17ffd
Update sysmon_uac_bypass_eventvwr.yml 2018-08-07 08:07:49 +02:00
yt0ng
fc091fe3d7
Added ATTCK Mapping 2018-08-05 14:00:22 +02:00
yt0ng
b65cb5eaca
Possible Shim Database Persistence via sdbinst.exe 2018-08-05 13:55:04 +02:00
Thomas Patzke
0e986cae4d Fixed log source and field names 2018-08-04 22:58:19 +02:00
Florian Roth
acfdb591d0 fiox: Typo in description fixed 2018-07-29 16:22:39 +02:00
Florian Roth
1f845aa1d9 fix: Changed suspicious process creation rule to avoid FPs 2018-07-29 16:22:09 +02:00
Nik Seetharaman
b938fdb0a3 Add CMSTP UAC Bypass via COM Object Access 2018-07-27 02:28:28 -05:00
James Dickenson
5fc118dcac added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00
Florian Roth
a9fcecab88
Merge pull request #130 from samsson/patch-4 
Fixed typo / Created a rule
 2018-07-26 22:34:46 +02:00
Florian Roth
016b15a2a9
Added quotation marks 
I've added quotation marks to make it clearer (leading dash looks weird)
 2018-07-26 18:10:21 +02:00
Lurkkeli
7796492c2b
Update powershell_NTFS_Alternate_Data_Streams 2018-07-26 08:54:08 -07:00
Thomas Patzke
5e3211928f
Merge pull request #132 from dspautz/master 
Add tags to APT rules
 2018-07-25 09:57:35 +02:00
David Spautz
f039f95f4d Add tags to APT rules 2018-07-25 09:50:01 +02:00
Florian Roth
089498b0b3
Merge pull request #131 from yt0ng/master 
Possible SafetyKatz Dump of debug.bin
 2018-07-25 07:41:38 +02:00
Florian Roth
dd857c4470
Cosmetics 
If it's only 1 value we write it like this to avoid it being interpreted as a list with 1 element and to avoid an extra line.
 2018-07-25 07:37:17 +02:00
Florian Roth
cf7f5c7473
Changes 
I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? 
Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
 2018-07-25 07:35:59 +02:00
yt0ng
b415fc8d42
Possible SafetyKatz Dump of debug.bin 
https://github.com/GhostPack/SafetyKatz
 2018-07-24 23:51:46 +02:00
Lurkkeli
db82322d17
Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:03:07 +02:00
Lurkkeli
0e9c5bb14a
Update sysmon_rundll32_net_connections.yml 2018-07-24 20:01:47 +02:00
Lurkkeli
fd8c5c5bf6
Update powershell_NTFS_Alternate_Data_Streams 2018-07-24 20:00:21 +02:00